I have published Internet Explorer 11 from a server via published App in Horizon. The users need to use a smart card reader connected to their computers and then transfer the connection to the connected application via Horizon Client.
The problem is that when any user connects the USB smartcard reader to the app, I receive an error at the server that indicates:
ERROR 602 Smart Card Service : WDM Reader driver initialization cannot open reader device : Access Denied
So the web app loaded into the Internet Explorer published app cannot access the certificates inside the card reader.
If I try to connect the smartcard reader via RDS connection with the same user, it works, so that makes me think it's a problem with something inside the Horizon agent and/or client.
Horizon Client 4.10.0
Server Windows 2016 Standard
A couple of things can be the culprit here.
- On your RDS system(s), do they have the correct SC drivers installed?
- Is the smart card redirection feature installed with the View agent?
- Are the CAs for the smart card installed properly within the RDS host?
Those are usually the top three issues that I've come across with being unable to use smart cards in a VDI/RDSH environment.
A quick test you can do is RDP to one of the RDS systems and redirect your smart card that way and test the web app. Also run from a command line "certutil -scinfo" to verify that your particular cards and certs can be read.
If I connect via RDS to the server and transfer the SC reader to the server, it works perfectly. The problem is when I execute the app via published app: when I connect the SC reader to the Horizon Client, I can see the error in the server event logs.
The "certutil -scinfo" works when connecting to RDS.
Was unaware the SC redirection wasn't available with the RDS role - haven't really played around with remote apps and Smart Cards all that much yet.
However, are your users authenticating to the connection servers with SCs or Username/Password?
Are you able to see the USB device connecting properly in the Agent log/debug log?
The users authenticate with Horizon Client with user/password. Then the client presents the published apps (Internet Explorer) to the user; I (or the user) connect to the IE app and then I transfer the SC reader to the app via the USB configuration of Horizon Client.
At this point I see the following error in the Windows Event Log:
In English: WDM reader driver initialization cannot open reader device. Error 602.
In agent logs I see the following entries related to the SC reader:
2019-04-10T16:22:09.238+02:00 INFO (0FD0-146C) <MessageFrameWorkShare> [pcoip_mfw] service: register of virtual channel Smart Card Virtual Channel ok
But the card reader doesn't work.